Find notable cyber news and cases, enriched with sources, timelines, and signals.

SideWinder South Asia diplomatic spear-phishing campaign using PDF and ClickOnce

Campaign
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

A SideWinder campaign used four waves of spear-phishing from March through September 2025, reaching a European embassy in New Delhi and organizations in Sri Lanka, Pakistan, and Bangladesh. The operation matters because it pairs diplomatic targeting with espionage-focused malware delivery, raising the risk of credential theft and hidden access. It also shows a shift to a PDF and ClickOnce infection chain layered on top of earlier Word-based tradecraft.

Related Happenings

WhatsApp VBScript attachment distribution campaign

Campaign
H score42 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...

Grandoreiro DLL side-loading campaign targeting banks in Portugal

Campaign
H score26 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe

Campaign
H score38 First: 01.04.2026 15:36 Last: 01.04.2026 15:36 Sources 1

About this happening: **Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...

Evasive Panda DNS poisoning MgBot espionage campaign

Campaign
H score33 First: 26.12.2025 16:44 Last: 26.12.2025 16:44 Sources 1

About this happening: **Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...

Timeline

  1. 28.10.2025 06:01 1 articles · 8mo ago

    SideWinder South Asia diplomatic spear-phishing campaign using PDF and ClickOnce

    Initial Disclosure

    The initial phase began with **spear-phishing emails** sent in **four waves** from **March through September 2025**. Early lures used **PDF** and **Microsoft Word** documents to pull targets into the infection chain.

    Show sources